From 1b45ff1a6f2c5c7cec4f0d64f90b863a20839360 Mon Sep 17 00:00:00 2001
From: "c1-dev-bot[bot]" <2740113+c1-dev-bot[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 00:37:18 +0000
Subject: [PATCH] fix: map repository permission display names to GitHub UI
 role names

GitHub's API uses "pull" and "push" as permission names, but the
GitHub UI displays these as "Read" and "Write" respectively. This
caused the "Read" role to appear as "Repo Pull" in ConductorOne,
making it impossible for users to find and provision the Read role.

Add a display name mapping so entitlements show the user-facing
GitHub role names (Read, Triage, Write, Maintain, Admin) instead
of the API permission names (pull, triage, push, maintain, admin).

Fixes: CXH-1380
---
 pkg/connector/repository.go | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/pkg/connector/repository.go b/pkg/connector/repository.go
index 0a712416..8824fe5e 100644
--- a/pkg/connector/repository.go
+++ b/pkg/connector/repository.go
@@ -39,6 +39,16 @@ var repoAccessLevels = []string{
 	repoPermissionAdmin,
 }
 
+// repoPermissionDisplayName maps GitHub API permission names to their
+// user-facing role names as shown in the GitHub UI.
+var repoPermissionDisplayName = map[string]string{
+	repoPermissionPull:     "Read",
+	repoPermissionTriage:   "Triage",
+	repoPermissionPush:     "Write",
+	repoPermissionMaintain: "Maintain",
+	repoPermissionAdmin:    "Admin",
+}
+
 // repositoryResource returns a new connector resource for a GitHub repository.
 func repositoryResource(ctx context.Context, repo *github.Repository, parentResourceID *v2.ResourceId) (*v2.Resource, error) {
 	ret, err := resourceSdk.NewResource(
@@ -132,9 +142,10 @@ func (o *repositoryResourceType) Entitlements(_ context.Context, resource *v2.Re
 func (o *repositoryResourceType) StaticEntitlements(_ context.Context, _ resourceSdk.SyncOpAttrs) ([]*v2.Entitlement, *resourceSdk.SyncOpResults, error) {
 	rv := make([]*v2.Entitlement, 0, len(repoAccessLevels))
 	for _, level := range repoAccessLevels {
+		displayName := repoPermissionDisplayName[level]
 		rv = append(rv, entitlement.NewPermissionEntitlement(nil, level,
-			entitlement.WithDisplayName(fmt.Sprintf("Repo %s", titleCase(level))),
-			entitlement.WithDescription(fmt.Sprintf("Access to repository in GitHub as %s", level)),
+			entitlement.WithDisplayName(fmt.Sprintf("Repo %s", displayName)),
+			entitlement.WithDescription(fmt.Sprintf("Access to repository in GitHub with %s role", displayName)),
 			entitlement.WithGrantableTo(resourceTypeUser, resourceTypeTeam),
 		))
 	}